A case of overcorrection: how the FTC's regulation of "unfair acts and practices" is unfair to small businesses.

• Author: West, Jennifer L.

Table of Contents Introduction I. History of the FTC's Unfairness Authority in Data Security Cases A. Pre-1980 B. Post-1980 II. The FTC's Data Security Cases A. Settlements and Consent Decrees B. Litigation: FTC v. Wyndham Worldwide Corp. and FTC v. LabMD, Inc C. The Unfairness Test Today III. The Antitrust Rule of Reason as a Guideline for Applying the Unfairness Test A. The Current Application of the Unfairness Test Harms Competition 1. The Unfairness Test Is Vague, and the FTC's Current Application of It Is Unpredictable 2. The FTC's Proposed Data Security Measures Are Too Costly with Little Incentive to Challenge Them 3. The FTC's Proposed Data Security Measures Harm Innovation B. A New Framework C. Why This Framework? Conclusion INTRODUCTION

The Federal Trade Commission (FTC) has used section 5 of the Federal Trade Commission Act of 1914 (FTC Act) to regulate companies' data security practices since 2002. (1) Section 5 of the FTC Act empowers the FTC to regulate "unfair or deceptive acts or practices." (2) When the FTC first began using this power in the realm of data security, it focused on its deceptiveness power rather than its unfairness power. (3) The deceptiveness power permits the FTC to investigate cases involving "a representation, omission or practice that is likely to mislead the consumer." (4) In the realm of data security, the FTC uses this power to file complaints against companies who have "deceived" consumers by violating their own privacy policies. (5) The problem is that when companies have exercised poor data security practices but have not violated their internal privacy policies--either because their policies are not comprehensive enough or because they do not have a privacy policy at all--those practices are not considered "deceptive" and thus are beyond the FTC's reach under its deceptiveness power. (6) As a result, the FTC has broadened its own reach by filing data security complaints under its unfairness power. (7)

The FTC uses a three-prong test, codified in 1994, (8) for finding unfair acts or practices in data security cases. [9] Under that test, the injury (1) "must be substantial"; (2) "must not be outweighed by any countervailing benefits to consumers or competition that the practice produces"; and (3) "must be an injury that consumers themselves could not reasonably have avoided." (10) Despite the FTC having initiated more than fifty data security proceedings since 2002, (11) this unfairness test remains vague and largely unsettled. (12)

The FTC's current application of the unfairness test is harmful to competition because it imposes a substantial burden on small businesses and hinders them from successfully competing in the market. (13) Due to the vague nature of the unfairness test, small businesses cannot anticipate what constitutes a breach and therefore cannot ensure that their practices pass FTC muster. (14) Consequently, small businesses either avoid taking risks and shy away from innovation, or they face the FTC's hefty settlement demands, which are not adequately tailored to the size and resources of each business. (15) Either way, the FTC's current practices harm competition by making small businesses unwilling or unable to compete in any meaningful way. (16)

Although the FTC claims it tailors its data security regulation to individual companies' particular circumstances, (17) in practice its settlement agreements with various companies are all nearly identical. (18) Each settlement involves what is known as a "consent order" or "consent decree," in which a company agrees to implement typically twenty years of costly and time-consuming corrective data security measures. (19) These measures are problematic because they are far too costly for small businesses that do not have the manpower or money to implement them. (20)

Even though businesses technically "agree" to these consent decrees through settlement, the FTC essentially forces them into these agreements because these businesses have little ability or incentive to litigate. (21) This problem is especially true for small businesses for two principal reasons. First, litigation is too expensive and time-consuming. (22) For example, the cost of litigation in FTC v. LabMD, Inc., effectively shut down a business. (23) LabMD, Inc., is an Atlanta-based cancer-detecting laboratory (24) that used to test specimen samples taken from patients by their health care providers. (25) The FTC filed a complaint against LabMD for a potential breach of patient information when a third party found the personal information of some of LabMD's patients on Limewire, a peer-to-peer (P2P) file-sharing network. (26) Instead of signing a consent decree like almost every other company, LabMD challenged the FTC through litigation. (27) Ultimately, the FTC won the battle. (28) LabMD no longer accepts new patients and merely exists to preserve test samples and to make available past test results. (29) Additionally, LabMD must now adhere to one of the FTC's twentyyear data security plans that is included in every consent decree.30

The second reason small businesses have little ability or incentive to litigate is that the FTC benefits from tremendous institutional bias. (31) Even though the administrative law judges (ALJs) are separate from the investigative arm of the FTC, that bias still apparently exists because the FTC has affirmed judgment in every case in which the ALJ found in favor of the FTC staff, but has reversed judgement in every case in which the ALJ found against the FTC staff. (32)

If the FTC continues to use its unfairness power in this way, then it will harm competition by running smaller businesses out of the market, leaving the big businesses that can afford to settle with the FTC as market monopolies. (33) Ultimately, consumers will be left without adequate, affordable choices for all types of products and services. (34)

To remedy this problem, the FTC should apply a framework similar to the antitrust rule of reason to the balancing prong of its unfairness test--that is, the harm to consumers must not be "outweighed by countervailing benefits to consumers or to competition." (35) The antitrust rule of reason consists of a burden-shifting analysis focused on competitive effects of particular acts or practices. (3),i For purposes of the unfairness test, the FTC should focus on whether its own methods of regulating data security acts or practices are actually anticompetitive by forcing companies out of the market. (37) By considering these effects, the FTC will be forced to more adequately tailor its regulation of data security to the size and resources of each business. This modification will give the FTC's largely ad hoc approach a great deal more consistency and will benefit competition--and therefore consumers-in the long term.

Part I of this Note discusses the FTC's power to regulate data security. It surveys the history of the FTC's section 5 authority generally and how the FTC began to use this authority in data security cases. Part II details the data security cases the FTC has pursued under section 5. It discusses the settlements, or "consent decrees," the FTC has entered into with various companies, the two major cases that challenged the FTC's data security complaints and underwent extensive litigation, and the unfairness test as it stands today. Part III explores the problems with the current analysis under the unfairness test and the corresponding potential harms to smaller businesses. Part III then proposes a new framework by discussing the antitrust rule of reason and follows with an explanation as to why this framework is better suited to deal with data security issues than the current framework.

1. HISTORY OF THE FTC'S UNFAIRNESS AUTHORITY IN DATA SECURITY CASES

   1. Pre-1980

      In the FTC Act, Congress established the FTC and charged it with preventing anticompetitive practices. (38) Congress later gave the FTC its broad unfairness authority when it amended section 5 of the FTC Act in (1938). (39) Also known as the Wheeler-Lea Act, this amendment made "[u]nfair methods of competition in commerce, and unfair or deceptive acts or practices in commerce" unlawful. (40) Under these provisions, the FTC held the authority to protect consumers directly by enforcing these provisions against businesses. (41)

      The FTC initially failed to distinguish between unfair acts or practices and deceptive acts or practices, and treated section 5 of the FTC Act as if the provision said "and," instead of "or." (42) In 1964 the FTC then distinguished between the two when it released the Cigarette Rule Statement of Basis and Purpose. (43) In that statement, the FTC summed up the unfairness test in three prongs: in cases involving unfair acts or practices, the FTC would consider "(1) whether the practice ... offends public policy as it has been established by statutes, the common law, or otherwise ... ; (2) whether it is immoral, unethical, oppressive, or unscrupulous; [and] (3) whether it causes substantial injury to consumers (or competitors or other businessmen)." (44)

      In 1972 the Supreme Court in FTC v. Sperry & Hutchinson Co. took the position that section 5 "empower [s] the Commission to define and proscribe an unfair competitive practice, even though the practice does not infringe either the letter or the spirit of the antitrust laws." (45) Section 5 also "empowerjs] the Commission to proscribe practices as unfair or deceptive in their effect upon consumers regardless of their nature or quality as competitive practices or their effect on competition." (46)

      Although the Supreme Court approved of the FTC's broad power, it still failed to provide the FTC with any guidance for applying these three prongs. (47) For the next eight years, the FTC inconsistently applied its unfairness power in a variety of cases. (48) To solve this problem and to answer questions from Congress and many others, the FTC passed the FTC Policy...